Certified Data Center Segment

Description

The Certified Data Center Segment service provides hosting for business and state information systems with high requirements for information protection, including compliance with international standards, Russian legislation, and certification tests.

The service includes:

  • Certified infrastructure that meets the requirements for the first level of personal data protection and the first class of information systems protection;
  • Physical network isolation from Selectel networks and the networks of other data center clients using a dedicated hardware firewall;
  • Administrative access to manage the dedicated firewall, for total control over the network security of your information system;
  • 24/7 technical support;
  • Equipment switching according to the standard or individual connection scheme;
  • Ability to use certified information protection tools by subscription;
  • Provision of the layout of the technical equipment, its composition and serial numbers, and the borders of the controlled area;
  • Access to IPMI via dedicated network equipment;
  • Agreement with the customer in advance on all necessary changes during infrastructure maintenance;
  • Delimitation of responsibilities:
    • Selectel is responsible for meeting regulatory requirements for equipment installation and physical access control;
    • The customer is responsible for the protection of their information systems and remote access.

Common Selectel cross connect equipment is used when ordering dedicated servers without installation in a certified data center segment. Servers and network equipment are located in different racks, and the layout is a trade secret.

Billing and Payment

Top up your Main Balance to pay for the service.

Enabling the Service

The service includes:

  • renting a Custom dedicated server;
  • a separate Firewall service;
  • a separate Hosting in a Certified Data Center Segment service for the server and firewall.

Connection Scheme

Before ordering the service, specify the connection scheme (standard or individual, in accordance with «Conditions for usage or individual services: Certified DC segment»), as well as a list of planned additional services and protection measures.

Server Configuration

Specify the dedicated server configuration in the configurator. The server is subject to the «Conditions for usage or individual services: Certified DC segment».

Firewall

You need to order a firewall to host a server in the data center. To do this, go to the Firewalls tab of the Network Services section of the Control panel and select the required one.

Certified firewalls are also available in the Control panel. When using them, a «Certificate for installation of protection tools» is provided.

If the required version of the firewall is not available, please create a ticket. We will provide the necessary information about the service and time of delivery.

Protection Tools as a Service

If necessary, you can order additional certified protection tools for which Access for information protection tools applies:

  • Secret Net LSP
  • Secret Net Studio
  • ViPNet SafeBoot
  • Kaspersky Endpoint Security

Hosting in a Certified Data Center Segment

Create a ticket with a request to install equipment in the Certified Data Center Segment. Specify the selected connection scheme, server configuration, ordered firewall number, required OS, disk layout, and, if necessary, additional protection measures.

When ordering the service, it is important that the number of ordered «Hosting equipment (1U) in a Certified Data Center Segment» services corresponds to the number of units taken by the server and firewall.

Processing Requests

After receiving a request, we check the correctness of the ordered services, compatibility of the components and protection tools. If everything is correct, and the hardware platform is compatible with the selected tools, you will receive the description of the final configuration and a request to confirm it. Otherwise, we will offer an alternative configuration that is compatible with the selected protection tools.

After your approval, the server assembly will start.

Provision of Services

We will prepare the infrastructure and provide access data: address, login and password of the firewall; connection scheme; data for accessing the server via IPMI; operating system and disk layout.

When using certified information protection tools, a «Certificate for protection tools installation» is provided.

To continue working with the infrastructure, keep in mind that the network is physically isolated from Selectel networks and the networks of other clients, so you cannot manage it from the my.selectel panel and need to configure the infrastructure through the firewall. For the same reason, you cannot connect a load balancer.

At this stage, the public IP address is set on the firewall, and the private (local) IP address is set on the server. Therefore, you need to configure the rules to access the server.

Basic Setup

Firewall

Set up forwarding of the following ports to access the server's IPMI:

  • TCP 80: HTTP
  • TCP 443: HTTPS
  • TCP 5900: virtual keyboard and mouse
  • TCP 5901: graphical console
  • TCP 5120: virtual CD/DVD drive
  • TCP 5123: virtual FDD drive
  • UDP 623: IPMI

The same configuration applies to any service hosted on a server behind the firewall. For example, TCP port 3389 must be forwarded for RDP remote control, and TCP port 22 must be forwarded for SSH.
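The following check is an added example, not part of Selectel's documentation or tooling. It audits a list of forwarding rules against the IPMI port list above. The rule tuple format, the private addresses and the admin network are constructed for illustration, and the flag for rules without a source restriction is an added review check that the page does not state.

```python
import ipaddress

# Ports from the list above, keyed by (protocol, port).
IPMI_PORTS = {
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("tcp", 5900): "virtual keyboard and mouse",
    ("tcp", 5901): "graphical console",
    ("tcp", 5120): "virtual CD/DVD drive",
    ("tcp", 5123): "virtual FDD drive",
    ("udp", 623): "IPMI",
}

# Constructed sample rules: (proto, forwarded port, private dst, allowed src).
# 192.168.0.10 = IPMI, 192.168.0.20 = server OS, 203.0.113.0/24 = admin network.
SAMPLE_RULES = [
    ("tcp", 80, "192.168.0.10", "203.0.113.0/24"),
    ("tcp", 443, "192.168.0.10", "203.0.113.0/24"),
    ("tcp", 5900, "192.168.0.10", "0.0.0.0/0"),       # open to any source
    ("tcp", 5901, "192.168.0.10", "203.0.113.0/24"),
    ("tcp", 5120, "192.168.0.10", "203.0.113.0/24"),
    ("tcp", 623, "192.168.0.10", "203.0.113.0/24"),   # should be UDP
    ("tcp", 22, "192.168.0.20", "203.0.113.0/24"),    # SSH to the server, not IPMI
]

def audit_forwards(rules, ipmi_ip):
    """Return (missing, wrong_proto, open_to_any) as sorted (proto, port) lists."""
    target = ipaddress.ip_address(ipmi_ip)
    to_ipmi = [(p.lower(), int(port), src) for p, port, dst, src in rules
               if ipaddress.ip_address(dst) == target]
    have = {(p, port) for p, port, _ in to_ipmi}
    missing = sorted(k for k in IPMI_PORTS if k not in have)
    listed_ports = {port for _, port in IPMI_PORTS}
    # A listed port forwarded with the other protocol (e.g. 623 as TCP).
    wrong_proto = sorted(k for k in have
                         if k[1] in listed_ports and k not in IPMI_PORTS)
    # Added review check (not stated on the page): no source restriction.
    open_to_any = sorted((p, port) for p, port, src in to_ipmi
                         if ipaddress.ip_network(src, strict=False).prefixlen == 0)
    return missing, wrong_proto, open_to_any

if __name__ == "__main__":
    missing, wrong_proto, open_to_any = audit_forwards(SAMPLE_RULES, "192.168.0.10")
    for label, items in (("missing", missing), ("wrong protocol", wrong_proto),
                         ("open to any source", open_to_any)):
        for proto, port in items:
            print(f"{label}: {proto.upper()} {port}")
```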

Installing the OS

To install the OS yourself, you need to connect an ISO image to the server. There are several ways to do this:

  • create a ticket in the Control panel with a request to connect the external media with the OS to the server;
  • mount an ISO image via the IPMI console: Virtual Media -> Virtual Storage -> ISO File -> select an image -> Plug in.

Service Cancellation

If you no longer need the Hosting in a Certified Data Center Segment service, disable monthly payments for the Dedicated servers service:

  1. Open the server’s card and go to the Services tab.
  2. Open the (⋮) menu and click Disable monthly payments.

The service will be disabled automatically when the paid period ends. The server itself and all data stored on the server will automatically be deleted at the end of the paid period. All additional services connected to this server («Hosting equipment (1U) in a Certified Data Center Segment», Firewall, additional protection tools) will also be disabled.

If you cancel the service before the end of the paid period, the funds for the full unused months will be returned. See more in the Disabling servers article.

If there is an outstanding bill for the «Hosting equipment (1U) in a Certified Data Center Segment» service, you will receive a corresponding notification. If you cancel the service, or in case of non-payment after 7 days, the equipment is dismounted.

When using certified protection tools, you will receive a «Certificate of protection tools withdrawal».

Documents

Information Systems Certification

For the certification of information systems located on dedicated servers in the certified data center segment, we will provide the layout of the rented servers relative to the borders of the controlled area, which is required to carry out certification tests.

Personal Data Processing Assignment

You need to sign an assignment for processing personal data if personal data is processed on dedicated servers in a certified data center segment. To do this, please create a ticket in the Control panel with the following information:

  1. Level of personal data protection:
    • level 1;
    • level 2;
    • level 3;
    • level 4.
  2. Personal data categories:
    • special personal data categories;
    • biometric personal data categories;
    • other personal data categories;
    • public personal data categories.
  3. Categories of personal data subjects:
    • employees of the personal data operator;
    • non-employees of the personal data operator.
  4. Number of subjects whose personal data are being processed:
    • less than 100 000;
    • more than 100 000.
  5. Type of immediate threats according to the Regulation № 1119 of November 1, 2012, of the Government of the Russian Federation “On Approval of the Requirements to Personal Data Protection in the course of Its Processing in Personal Data Information Systems”:
    • type 1 threats — associated with the presence of undocumented (undeclared) capabilities in the system software;
    • type 2 threats — associated with the presence of undocumented (undeclared) capabilities in the application software;
    • type 3 threats — not associated with the presence of undocumented (undeclared) capabilities in the system and application software.

Based on this data, we will prepare an assignment that can be signed using electronic document management.